OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: OpenBSD remote root
From: Typo Princep (typoscene.at)
Date: Sun Dec 17 2000 - 23:26:17 CST


Hi,

I'll have to clarify a few things before pointing you to the warez.

On 12/04/2000 02:52:48 Kristian Vlaardingerbroek sent a mail
( http://www.geocrawler.com/archives/3/254/2000/12/50 )
to the openbsd bugs mailinglist with the descriptive subject:

Remote hole in ftpd that can lead to root compromise

In that mail, he first pointed out that "your 3 years of remote safeness
have just ended", and then provided technical information for fixing a
serious ftpd bug. But he made a minor error that made the fix ineffective.
He also said that he knows of a private exploit for this vulnerability, and
in another mail pointed out that Scrippie was the one who found the bug.

The first reply that came was a short one:
"ftpd is not enabled in the default install since 2.6."

That sales pitch stuff is a weird thing to worry about when in fact
all OpenBSD installs since at least 2.4 (ok, only those with open ftp,
enabled MKD and writable incoming) are susceptible to this bug which
allows remote root compromise. (NetBSD probably vuln too, FreeBSD not,
linux/x86 not because of 4byte alignment of memory)

Some of the later replies corrected the technical error Kristian made,
and provided a cleaner fix.

Next we have evidence that a wargame's openbsd 2.6 server has been
rooted on December 6th, leaving clear traces of the exploit's nature in
utmp and other logfiles. (been cleaned in the meanwhile)

December 6th... that was just 2 days after the initial bug report,
and the exploit used seems to be a rewrite of the one Kristian refered to.

Now the funny thing is that 2 weeks have passed since the initial bugreport,
to the openbsd bugs mailinglist, and NetBSD in the meanwhile seems to have
put OpenBSDs bugfix into cvs.

But noone has made the userbase aware of the security problems nor has any
further discussion taken place on obsd-bugs.

That, coupled with the claim that that OpenBSD doesnt take a security
through obscurity approach, but a serious one, makes me fairly suspicious.

I think the 'Security through Obscurity' dogma either is misused or plain
wrong, because i feel a lot safer on a Linux System with some patches
and replacement daemons that, according to popular opinion, provide no
security but just obscurity.

Im talking about kernel, glibc, gcc, ... patches that do things like
change the memory layout, remove %n format support from libc, or make
certain memory regions nonexecutable, and well designed mini daemons
to handle simple protocols like auth, http, ftp and pop3.

So to counter this trend in the security community, and because a leak
was inevitable anyway, caddis and me decided to release his oftpd exploit.

I think this may be a good way to prove that depending on a central authority
to protect you of all security problems is a bad idea. (instead try to make
your system more obscure and you'll probably survive the next 0day sploit)..

the exploit is available from http://teso.scene.at/.
And a patch for ftpd is available from the obsd bugs mailinglist
archive at geocrawler:

     http://www.geocrawler.com/archives/3/254/2000/12/50/4767599/

Regards,
    typo